eReader: Why Digital Watermarking is Dangerous

Last week's news that J.K. Rowling has finally decided to publish the Harry Potter books in eBook form sent the news waves into a tizzy: after years of saying that she didn't want the books to be released digitally because she feared they would be pirated (a strange statement to make, since the books were already pirated online), she's finally announced that owning an eReader herself has opened her eyes to the possibilities of the device and the Harry Potter eBooks are to be released in October.

Interestingly, Rowling has chosen to announce that the books will only be released from her personal "Pottermore" site, and this announcement has sent out quite a few shockwaves of its own. With the majority of eReader devices having access to a "direct download" store like Amazon, Barnes & Noble, Sony, or Kobo, quite a few readers may not appreciate having to give up device-to-store benefits like syncing bookmarks and highlights, or being able to easily download their book to multiple devices on demand, like in the case of the B&N customer who can access their books from any PC running the Nook 4 PC app, any phone or tablet using the Nook 4 Android app, or any Nook device registered to their email address.

All this store-shunning and enforced side-loading, however, has disappeared under the... interesting announcement that Harry Potter books will be "DRM-free", but with personalized digital watermarks. Which, to me, reads as: the Harry Potter books will be "DRM-free", but with digital watermarking DRM.

"DRM" strictly stands for Digital Rights Management and quite simply was created to try to prevent mass-sharing of copyrighted works. DRM became quite controversial several years back when the music industry was going through growing pains, and now it seems that the publishing industry is intent on not learning from history.

Remember buying music from Musicmatch in the 90s? The whole thing was a pain and a half because you had a limited number of devices that could be authorized, and even if you had enough licenses on your account to buy a new portable music player, half the time when you got it home it turned out to be a brand that Musicmatch couldn't recognize. The DRM scheme turned out to increase file sharing because quite a few people would buy a music file at 99 cents from Musicmatch, and then "illegally" download a DRM-free copy of the song just so that they could play it on their devices. And then Musicmatch went under and everyone was out of luck.

In light of the Musicmatch fiasco, Amazon made a lot of customers happy by announcing they would sell DRM-free MP3 music files. They've been following that model for years now, and the customers are happy, the music industry hasn't collapsed, and file-sharing rates have stayed at pretty much the same level they've always been. The world has moved on, the publishing industry has been for the most part dragged into the current century, and we can all go buy Weird Al's latest song without fear that it won't work on whatever brand MP3 player we own.

Then eBooks were born, or rather started to enter the mainstream, and the publishing industry couldn't get enough DRM to satisfy them. Amazon developed their own DRM, only readable on Amazon devices. Barnes & Noble developed their own DRM, only readable on Barnes & Noble devices. Adobe developed a "standardized" DRM that the Overdrive library provider picked up, as well as Kobo and Sony, but it's still DRM and it's still a pain because not all devices can read the Adobe DRM.

And, of course, all this DRM did nothing but inconvenience actual customers, since the DRM-removal tools were released almost immediately after the DRMs were created. So in light of all this, Rowling's decision that the Harry Potter books will be DRM-free is quite awesome, no?

Not really, no.

Fundamentally, if Rowling really didn't want DRM on her books, she could sell them through Amazon and B&N and anyone else without using their DRM. When you put a book up for sale on the Kindle store or the NookBook store, Amazon/B&N lets you decide whether or not to use their DRM scheme, and many indie authors deliberately chose NOT to use the store's DRM because they understand that (a) it's not a piracy deterrent and (b) it annoys your readers and customers. So all this "Rowling had to avoid the booksellers so that she wouldn't have to use DRM" is so much smoke and mirrors.

The issue isn't that Rowling didn't want DRM on the Harry Potter books; the issue is that Rowling wants digital watermarking DRM, which the major booksellers don't currently offer as a choice to their publishers. You see, the DRM we've described above is only one kind of DRM -- the "lock" kind. The B&N DRM, for instance, applies a little digital lock on your book file and only the person with the key can open it. In the B&N DRM case, the "key" is a combination of your name and the last eight digits on your credit card. The digital watermarking that will be applied to Rowling's books doesn't work as a lock-and-key access, but it is DRM of the "trace" variety. According to the Inquirer announcement, the Harry Potter digital watermark will be used for tracking down the original owners of any files that end up on sharing sites:

To cope with the possibility of so-called 'piracy' the ebooks will feature a digital watermark that will identify who purchased the book. This will allow authorities to track down who shared an ebook with the rest of the world, and those users could be faced with lawsuits for copyright infringement.

Can you spot the logical flaws in that sentence? There are two. Firstly, digital watermarks don't just identify the file owner to the "authorities" -- they have the potential to identify the file owner to anyone with access to either the file or the publisher's databases. Secondly, digital watermarks don't tell who shared the file; they tell who bought the file. Essentially, DWs are worrisome for two reasons: firstly, in the implementation of the link between one book file and one person, and secondly, in the trace-and-prosecute concept of digital policing.

On the implementation side, in order to link a book file to a person, the distributor of the book file has to have some identifying information about that person. When you visit a website to buy a product, you provide a variety of information: username, credit card number, IP address, physical address, and so on. Of all those pieces of information, the credit card number is easiest for the store to verify: if the purchase goes through and isn't flagged or contested, it must be a good number. Names, IP addresses, and physical addresses are much harder to verify as actually true, and most companies don't bother to try.

If the intent is to link a book file to an actual person, then unique information must be embedded in that book file that either corresponds directly to that person (so that when the Potter People sweep a torrent site and grab a HPSorcSt1.epub file, they can crack open the file and see "John Johnson, 6301 Bland Avenue, Apt. G, CC# as follows..." right there inside the file) or corresponds to a database that contains that person (so that when the Potter People crack open the file, they see 9861235897091831-9-0976C, which corresponds to "John Johnson, 6301 Bland Avenue, Apt. G, CC# as follows..." in their databases). In either case, it means that your personal identity information is stored forever in either an unsecured file that may live on multiple computer and eReader and phone devices or in a Pottermore database-o'-eternity that will soon become the Fort Knox for unethical hackers.
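The two designs described above, sketched as an added example (not from the original post, and not Pottermore's actual scheme, which the post does not describe): a constructed EPUB-shaped file carries either the purchaser's details directly or an opaque keyed token that only a store-side table resolves. The watermark location `META-INF/purchase.xml`, the key, the token format and the buyer record are all assumptions made for illustration.

```python
import hashlib
import hmac
import io
import zipfile

# Constructed purchaser record and key; every value is made up for this example.
BUYER = {"order_id": "ORD-0001", "name": "John Johnson",
         "address": "6301 Bland Avenue, Apt. G"}
STORE_KEY = b"constructed-store-secret"   # hypothetical, held only by the store
MARK_FILE = "META-INF/purchase.xml"       # hypothetical watermark location


def opaque_token(order_id):
    """Keyed reference that means nothing without the store's key and table."""
    return hmac.new(STORE_KEY, order_id.encode(), hashlib.sha256).hexdigest()[:24]


def build_epub(mark):
    """Build a minimal EPUB-shaped zip carrying `mark` as its watermark."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("mimetype", "application/epub+zip")
        z.writestr("OEBPS/ch1.xhtml", "<html><body><p>Sample.</p></body></html>")
        z.writestr(MARK_FILE, mark)
    return buf.getvalue()


def pii_in_file(epub, record):
    """Fields of `record` readable by anyone who merely holds the file."""
    with zipfile.ZipFile(io.BytesIO(epub)) as z:
        text = "".join(z.read(n).decode("utf-8", "replace") for n in z.namelist())
    return sorted(k for k, v in record.items() if v in text)


def resolve(epub, table):
    """What a party holding the store's table learns from any copy of the file."""
    with zipfile.ZipFile(io.BytesIO(epub)) as z:
        return table.get(z.read(MARK_FILE).decode("utf-8"))


TOKEN = opaque_token(BUYER["order_id"])
TABLE = {TOKEN: BUYER}                    # store-side mapping of token to person
direct = build_epub(BUYER["name"] + ", " + BUYER["address"])
indirect = build_epub(TOKEN)

if __name__ == "__main__":
    print("direct file exposes:", pii_in_file(direct, BUYER))
    print("token file exposes: ", pii_in_file(indirect, BUYER))
    print("table lookup yields:", resolve(indirect, TABLE))
```

The token copy exposes nothing on its own, but the table then becomes the sensitive asset, and `resolve` returns the same purchaser record for every copy of that file, whoever happens to hold it.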

On the prosecution side, let's say the Potter People do pull down a HPSorcSt1.epub file and one way or another dig out the information "John Johnson, 6301 Bland Avenue, Apt. G, CC# as follows...", what then? John can't prove that his desktop computer wasn't hacked and the contents tossed up on that torrent site. John can't prove that when he used his laptop at the hotel, his data wasn't grabbed. John can't easily show that when his eReader or phone was using the McDonald's WiFi to download his book that it wasn't also snatched up by a nearby user. And John definitely can't easily show that his Dropbox cloud library was hacked by someone who mined all his data and tossed it all up on a torrent site for shits and giggles.

In the world we live in, digital rights lawsuits are becoming something of a guilty-until-proven-innocent affair. Look at the Sony lawsuits, where they've sued Geohot -- and others -- for essentially rooting their PS3s. Rooting itself can be essentially innocent -- quite a few PS3 rooters do so to unlock the Linux capabilities of the device -- but the entire lawsuit was muddied by Sony's lawyers hooting about piracy at every possible turn. Geohot wasn't being prosecuted for piracy, he wasn't being sued for piracy, and what he was being sued for was only slightly tangentially related to piracy in the sense that pirated games are easier to run on a rooted device than a non-rooted one, but all we heard was the lawyers bleating that Geohot was some kind of cartoon villain who was stealing money from the mouths of game developers by showing people how to get root access to their purchased devices -- root access that people have been doing with phones and tablet computers en masse since about ten minutes after companies started locking their devices down and limiting their functionality.

You see, in the million-to-one chance that, say, a Baen eBook is stolen from you and loaded onto a torrent site without your knowledge, without a digital watermark you'll never be implicated in something that you didn't do, didn't know about, and couldn't prevent. On the other hand, in the million-to-one chance that, say, a Harry Potter eBook is stolen from you and loaded onto a torrent site without your knowledge, a digital watermark will mean that you get to face the collective might and legal power of the Rowling empire in a case where you literally cannot prove you didn't do it and where the lawyers will almost certainly be happy to paint you as a Snidely Whiplash-esque villain.

That million-to-one chance is something that everyone has to decide for themselves, of course, but if the DW flavor of DRM gains in popularity, that million-to-one chance per eBook may start adding up over time. With one PC, one laptop, four eReaders (three of which have WiFi and/or 3G access), one smart phone, and a library-in-the-cloud, it's not a chance that I, personally, am willing to take.

In the meantime, I'm going to go listen to my DRM-free Weird Al songs. 

NOTE: Please don't link in the comments to any DRM-removal tools or sites explaining how to use them.


leianajade said...

Wow, thanks for sharing this information. It's not something that I would have put much thought into, but you're absolutely right - that sounds dangerous.

Redwood Rhiadra said...

Just want to say that Baen may not be the best example there - they actively *encourage* sharing of their ebooks. (As one example, hardcovers from some of their most popular authors include a CD with ebooks of *every* book by that author, all in multiple unlocked formats - and the CD explicitly says "go ahead and give this away, put it up on the web, torrent it, whatever. Just don't charge for it.") Baen and many of their authors (Flint, Weber, Bujold, and others) are of the firm belief that "piracy" actually encourages sales.

I love Baen :-)

Ana Mardoll said...

Redwood Rhiadra, I love Baen, too, and their "pro-sensible" stance (as I like to think of it) means that in addition to not lacing their books with DRM, they ALSO aren't going to waste valuable resources trying to prosecute an innocent victim who had their computer hacked. Alas, with the industry the way it currently is, I can't be confident in naming any other "pro-sensible" publisher/ebook-provider. :(

Silver Adept said...

The assumption appears to be that if one can make an example of enough people by suing them for damages far in excess of what buying a book would be, one can discourage the sharing of works. Which, if you've ever been to a public library, is a fairly laughable idea. And if you've seen the statistics - many people actually buy books because they got to read it somewhere else and wanted a copy for themselves.

DRM right now is the publishers and developers of devices trying to lock you into one distribution channel and prevent you from using your content elsewhere or buying content elsewhere. That's like trying to stop the tides by commanding they go away.

DW-DRM is a publisher trying to kill a siege by poisoning the river leading into the defending castle, but in practice will look more like trying to put a jinn back into a bottle. Perhaps we will start seeing the first high-profile "sue them for seven generations" cases on Potter books. It does not discourage those who will share by other means. And reading good books is really about sharing them with others. First Sale Doctrine really should be applying here, but since the publishers want you to believe everything electronic is only "licensed", they can get around that.

Grr. What is it, other than the lure of profits by restricting the distribution chain, that drives manufacturers to try and impose locks on their products? Are they somehow worried they will be held liable if a rooted PS3 commits wire fraud?

Timothy (TRiG) said...

Thank you for an excellent write-up. It sounds like someone's read "The Right to Read" as a suggestion instead of a warning.


Juli Monroe said...

I realize I am coming late to this post, but you do realize that some Amazon MP3 files are also watermarked, right? Sure, you can see which ones and avoid them, but they do exist.

Ana Mardoll said...

Not precisely, or at least that's not my understanding.

Amazon doesn't watermark the file; the company that provides the MP3 to Amazon watermarks the file. So essentially -- in theory -- everyone who bought the MP3 from Amazon has the SAME watermark. In that scenario, it wouldn't be possible to trace an MP3 to a specific individual or purchase.
